Post Syndicated from jzb original https://lwn.net/Articles/993660/
Version
24.10 of the Ubuntu distribution is out. This release includes GNOME 47, Linux 6.11,
security enhancements for managing Personal Package Archives (PPAs),
experimental security controls for Snap packages, and more.
Post Syndicated from Abhishek Gupta original https://aws.amazon.com/blogs/aws/convert-aws-console-actions-to-reusable-code-with-aws-console-to-code-now-generally-available/
Today, we are announcing the general availability (GA) of AWS Console-to-Code that makes it easy to convert AWS console actions to reusable code. You can use AWS Console-to-Code to record your actions and workflows in the console, such as launching an Amazon Elastic Compute Cloud (Amazon EC2) instance, and review the AWS Command Line Interface (AWS CLI) commands for your console actions. With just a few clicks, Amazon Q can generate code for you using the infrastructure-as-code (IaC) format of your choice, including AWS CloudFormation template (YAML or JSON), and AWS Cloud Development Kit (AWS CDK) (TypeScript, Python or Java). This can be used as a starting point for infrastructure automation and further customized for your production workloads, included in pipelines, and more.
Since we announced the preview last year, AWS Console-to-Code has garnered positive response from customers. It has now been improved further in this GA version, because we have continued to work backwards from customer feedback.
New features in GA
Getting started with AWS Console-to-Code
Let’s begin with a simple scenario of launching an Amazon EC2 instance. Start by accessing the Amazon EC2 console. Locate the AWS Console-to-Code widget on the right and choose Start recording to initiate the recording.
Now, launch an Amazon EC2 instance using the launch instance wizard in the Amazon EC2 console. After the instance is launched, choose Stop to complete the recording.
In the Recorded actions table, review the actions that were recorded. Use the Type dropdown list to filter by write actions (Write). Choose the RunInstances action. Select Copy CLI to copy the corresponding AWS CLI command.
This is the CLI command that I got from AWS Console-to-Code:
aws ec2 run-instances \
--image-id "ami-066784287e358dad1" \
--instance-type "t2.micro" \
--network-interfaces '{"AssociatePublicIpAddress":true,"DeviceIndex":0,"Groups":["sg-1z1c11zzz1c11zzz1"]}' \
--credit-specification '{"CpuCredits":"standard"}' \
--tag-specifications '{"ResourceType":"instance","Tags":[{"Key":"Name","Value":"c2c-demo"}]}' \
--metadata-options '{"HttpEndpoint":"enabled","HttpPutResponseHopLimit":2,"HttpTokens":"required"}' \
--private-dns-name-options '{"HostnameType":"ip-name","EnableResourceNameDnsARecord":true,"EnableResourceNameDnsAAAARecord":false}' \
--count "1"This command can be easily modified. For this example, I updated it to launch two instances (--count 2) of type t3.micro (--instance-type). This is a simplified example, but the same technique can be applied to other workflows.
I executed the command using AWS CloudShell and it worked as expected, launching two t3.micro EC2 instances:
The single-click CLI code generation experience is based on the API commands that were used when actions were executed (while launching the EC2 instance). Its interesting to note that the companion screen surfaces recorded actions as you complete them in console. And thanks to the interactive UI with start and stop functionality, its easy to clearly scope actions for prototyping.
IaC generation using AWS CDK
AWS CDK is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. With AWS Console-to-Code, you can generate AWS CDK code (currently in Java, Python and TypeScript) for your infrastructure workflows.
Lets continue with the EC2 launch instance use case. If you haven’t done it already, in the Amazon EC2 console, locate the AWS Console-to-Code widget on the right, choose Start recording, and launch an EC2 instance. After the instance is launched, choose Stop to complete the recording and choose the RunInstances action from the Recorded actions table.
To generate AWS CDK Python code, choose the Generate CDK Python button from the dropdown list.
You can use the code as a starting point, customizing it to make it production-ready for your specific use case.
I already had the AWS CDK installed, so I created a new Python CDK project:
mkdir c2c_cdk_demo
cd c2c_cdk_demo
cdk init app --language python
Then, I plugged in the generated code in the Python CDK project. For this example, I refactored the code into a AWS CDK Stack, changed the EC2 instance type, and made other minor changes to ensure that the code was correct. I successfully deployed it using cdk deploy.
I was able to go from the console action to launch an EC2 instance and then all the way to AWS CDK to reproduce the same result.
from aws_cdk import (
Stack,
aws_ec2 as ec2,
)
from constructs import Construct
class MyProjectStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
existing_vpc = ec2.Vpc.from_lookup(self, "ExistingVPC",
is_default=True
)
instance = ec2.Instance(self, "Instance",
instance_type=ec2.InstanceType("t3.micro"),
machine_image=ec2.AmazonLinuxImage(),
vpc=existing_vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PUBLIC
)
)
You can also generate CloudFormation template in YAML or JSON format:
Preview code
You can also directly access AWS Console-to-Code from Preview code feature in Amazon EC2 and Amazon EC2 Auto Scaling group launch experience. This means that you don’t have to actually create the resource in order to get the infrastructure code.
To try this out, follow the steps to create an Auto Scaling group using a launch template. However, instead of Create Auto Scaling group, click Preview code. You should now see the options to generate infrastructure code or copy the AWS CLI command.
Things to know
Here are a few things you should consider while using AWS Console-to-Code:
Now available
AWS Console-to-Code is available in all commercial Regions. You can learn more about it in the Amazon EC2 documentation. Give it a try in the Amazon EC2 console and send feedback to the AWS re:Post for Amazon EC2 or through your usual AWS Support contacts.
Post Syndicated from Mohammed Alkateb original https://aws.amazon.com/blogs/big-data/unleash-deeper-insights-with-amazon-redshift-data-sharing-for-data-lake-tables/
Amazon Redshift has established itself as a highly scalable, fully managed cloud data warehouse trusted by tens of thousands of customers for its superior price-performance and advanced data analytics capabilities. Driven primarily by customer feedback, the product roadmap for Amazon Redshift is designed to make sure the service continuously evolves to meet the ever-changing needs of its users.
Over the years, this customer-centric approach has led to the introduction of groundbreaking features such as zero-ETL, data sharing, streaming ingestion, data lake integration, Amazon Redshift ML, Amazon Q generative SQL, and transactional data lake capabilities. The latest innovation in Amazon Redshift data sharing capabilities further enhances the service’s flexibility and collaboration potential.
Amazon Redshift now enables the secure sharing of data lake tables—also known as external tables or Amazon Redshift Spectrum tables—that are managed in the AWS Glue Data Catalog, as well as Redshift views referencing those data lake tables. This breakthrough empowers data analytics to span the full breadth of shareable data, allowing you to seamlessly share local tables and data lake tables across warehouses, accounts, and AWS Regions—without the overhead of physical data movement or recreating security policies for data lake tables and Redshift views on each warehouse.
By using granular access controls, data sharing in Amazon Redshift helps data owners maintain tight governance over who can access the shared information. In this post, we explore powerful use cases that demonstrate how you can enhance cross-team and cross-organizational collaboration, reduce overhead, and unlock new insights by using this innovative data sharing functionality.
Amazon Redshift data sharing allows you to securely share your data with other Redshift warehouses, without having to copy or move the data.
Data shared between warehouses doesn’t require the data to be physically copied or moved—instead, data remains in the original Redshift warehouse, and access is granted to other authorized users as part of a one-time setup. Data sharing provides granular access control, allowing you to control which specific tables or views are shared, and which users or services can access the shared data.
Since consumers access the shared data in-place, they always access the latest state of the shared data. Data sharing even allows for the automatic sharing of new tables created after that datashare was established.
You can share data across different Redshift warehouses within or across AWS accounts, and you can also do cross-region data sharing. This allows you to share data with partners, subsidiaries, or other parts of your organization, and enables the powerful workload isolation use case, as shown in the following diagram. With the seamless integration of Amazon Redshift with AWS Data Exchange, data can also be monetized and shared publicly, and public datasets such as census data can be added to a Redshift warehouse with just a few steps.
Figure 1: Amazon Redshift data sharing between producer and consumer warehouses
The data sharing capabilities in Amazon Redshift also enable the implementation of a data mesh architecture, as shown in the following diagram. This helps democratize data within the organization by reducing barriers to accessing and using data across different business units and teams. For datasets with multiple authors, Amazon Redshift data sharing supports both read and write use cases (write in preview at the time of writing). This enables the creation of 360-degree datasets, such as a customer dataset that receives contributions from multiple Redshift warehouses across different business units in the organization.
Figure 2: Data mesh architecture using Amazon Redshift data sharing
In the modern data organization, the data lake has emerged as a centralized repository—a single source of truth where all data within the organization ultimately resides at some point in its lifecycle. Redshift Spectrum enables seamless integration between the Redshift data warehouse and customers’ data lakes, as shown in the following diagram. With Redshift Spectrum, you can run SQL queries directly against data stored in Amazon Simple Storage Service (Amazon S3), without the need to first load that data into a Redshift warehouse. This allows you to maintain a comprehensive view of your data while optimizing for cost-efficiency.
Figure 3: Amazon Redshift bridges the data warehouse and data lake by enabling querying of data lake tables in-place
Redshift Spectrum supports a variety of open file formats, including Parquet, ORC, JSON, and CSV, as well as open table formats such as Apache Iceberg, all stored in Amazon S3. It runs these queries using a dedicated fleet of high-performance servers with low-latency connections to the S3 data lake. Data lake tables can be added to a Redshift warehouse either automatically through the Data Catalog, in the Amazon Redshift Query Editor, or manually using SQL commands.
From a user experience standpoint, there is little difference between querying a local Redshift table vs. a data lake table. SQL queries can be reused verbatim to perform the same aggregations and transformations on data residing in the data lake, as shown in the following examples. Additionally, by using columnar file formats like Parquet and pushing down query predicates, you can achieve further performance enhancements.
The following SQL is for a sample query against local Redshift tables:
The following SQL is for the same query, but against data lake tables:
To maintain robust data governance, Redshift Spectrum integrates with AWS Lake Formation, enabling the consistent application of security policies and access controls across both the Redshift data warehouse and S3 data lake. When Lake Formation is used, Redshift producer warehouses first share their data with Lake Formation rather than directly with other Redshift consumer warehouses, and the data lake administrator grants fine-grained permissions for Redshift consumer warehouses to access the shared data. For more information, see Centrally manage access and permissions for Amazon Redshift data sharing with AWS Lake Formation.
In the past, however, sharing data lake tables across Redshift warehouses presented challenges. It wasn’t possible to do so without having to mount the data lake tables on each individual Redshift warehouse and then recreate the related security policies.
This barrier has now been addressed with the introduction of data sharing support for data lake tables. You can now share data lake tables just like any other table, using the built-in data sharing capabilities of Amazon Redshift. By combining the power of Redshift Spectrum data lake integration with the flexibility of Amazon Redshift data sharing, organizations can unlock new levels of cross-team collaboration and insights, while maintaining robust data governance and security controls.
For more information about Redshift Spectrum, see Getting started with Amazon Redshift Spectrum.
In this post, we describe how to add data lake tables or views to a Redshift datashare, covering two key use cases:
The first use case provides greater flexibility and convenience. Consumers can query the shared view without having to configure fine-grained permissions. The configuration, such as defining permissions on data stored in Amazon S3 with Lake Formation, is already handled on the producer side. You only need to add the view to the producer datashare one time, making it a convenient option for both the producer and the consumer.
An additional benefit of this approach is that you can add views to a datashare that join data lake tables with local Redshift tables. When these views are shared, you can relegate the trusted business logic to just the producer side.
Alternatively, you can add data lake tables directly to a datashare. In this case, consumers can query the data lake tables directly or join them with their own local tables, allowing them to add their own conditional logic as needed.
When you create data lake tables that you intend to add to a datashare, the recommended and most common way to do this is to add a view to the datashare that references a data lake table or tables. There are three high-level steps involved:
The following diagram illustrates the full workflow.
Figure 4: Sharing data lake tables via Amazon Redshift views
The workflow consists of the following steps:
After these steps are complete, database consumer users with access to the datashare views can reference them in their SQL queries. The following SQL queries are examples for achieving the preceding steps.
Create a data lake table on the producer warehouse:
Create a view on the producer warehouse:
Add a view to the datashare on the producer warehouse:
Create a consumer datashare and grant permissions for the view in the consumer warehouse:
Adding a data lake table to a datashare is similar to adding a view. This process works well for a case where the consumers want the raw data from the data lake table and they want to write queries and join it to tables in their own data warehouse. There are two high-level steps involved:
The following diagram illustrates the full workflow.
Figure 5: Sharing data lake tables directly in an Amazon Redshift datashare
The workflow consists of the following steps:
The following SQL queries are examples for achieving the preceding producer steps.
Create a data lake table on the producer warehouse:
Add a data lake schema and table directly to the datashare on the producer warehouse:
Create a consumer datashare and grant permissions for the view in the consumer warehouse:
Data lake tables are stored outside of Amazon Redshift, in the data lake, and may not be owned by the Redshift warehouse, but are still referenced within Amazon Redshift. This setup requires special security considerations. Data lake tables operate under the security and governance of both Amazon Redshift and the data lake. For Lake Formation registered tables specifically, the Amazon S3 resources are secured by Lake Formation and made available to consumers using the provided credentials.
The data owner of the data in the data lake tables may want to impose restrictions on which external objects can be added to a datashare. To give data owners more control over whether warehouse users can share data lake tables, you can use session tags in AWS Identity and Access Management (IAM). These tags provide additional context about the user running the queries. For more details on tagging resources, refer to Tags for AWS Identity and Access Management resources.
When sharing data lake objects through a datashare, there are special logging considerations to keep in mind:
ExternalId field under the AssumeRole CloudTrail logs. The data owner can configure additional limitations on data access in an IAM policy by means of actions. For more information about defining data access through policies, see Access to AWS accounts owned by third parties.The billing model for Redshift Spectrum differs for Amazon Redshift provisioned and serverless warehouses. For provisioned warehouses, Redshift Spectrum queries (queries involving data lake tables) are billed based on the amount of data scanned during query execution. For serverless warehouses, data lake queries are billed the same as non-data-lake queries. Storage for data lake tables is always billed to the AWS account associated with the Amazon S3 data.
In the case of datashares involving data lake tables, costs are attributed for storing and scanning data lake objects in a datashare as follows:
For detailed information on Redshift Spectrum billing, refer to Amazon Redshift pricing and Billing for storage.
In this post, we explored how Amazon Redshift enhanced data sharing capabilities, including support for sharing data lake tables and Redshift views that reference those data lake tables, empower organizations to unlock the full potential of their data by bringing the full breadth of data assets in scope for advanced analytics. Organizations are now able to seamlessly share local tables and data lake tables across warehouses, accounts, and Regions.
We outlined the steps to securely share data lake tables and views that reference those data lake tables across Redshift warehouses, even those in separate AWS accounts or Regions. Additionally, we covered some considerations and best practices to keep in mind when using this innovative feature.
Sharing data lake tables and views through Amazon Redshift data sharing champions the modern, data-driven organization’s goal to democratize data access in a secure, scalable, and efficient manner. By eliminating the need for physical data movement or duplication, this capability reduces overhead and enables seamless cross-team and cross-organizational collaboration. Unleashing the full potential of your data analytics to span the full breadth of your local tables and data lake tables is just a few steps away.
For more information on Amazon Redshift data sharing and how it can benefit your organization, refer to the following resources:
Please also reach out to your AWS technical account manager or AWS account Solutions Architect. They will be happy to provide additional guidance and support.
Mohammed Alkateb is an Engineering Manager at Amazon Redshift. Prior to joining Amazon, Mohammed had 12 years of industry experience in query optimization and database internals as an individual contributor and engineering manager. Mohammed has 18 US patents, and he has publications in research and industrial tracks of premier database conferences including EDBT, ICDE, SIGMOD and VLDB. Mohammed holds a PhD in Computer Science from The University of Vermont, and MSc and BSc degrees in Information Systems from Cairo University.
Ramchandra Anil Kulkarni is a software development engineer who has been with Amazon Redshift for over 4 years. He is driven to develop database innovations that serve AWS customers globally. Kulkarni’s long-standing tenure and dedication to the Amazon Redshift service demonstrate his deep expertise and commitment to delivering cutting-edge database solutions that empower AWS customers worldwide.
Mark Lyons is a Principal Product Manager on the Amazon Redshift team. He works on the intersection of data lakes and data warehouses. Prior to joining AWS, Mark held product leadership roles with Dremio and Vertica. He is passionate about data analytics and empowering customers to change the world with their data.
Asser Moustafa is a Principal Worldwide Specialist Solutions Architect at AWS, based in Dallas, Texas. He partners with customers worldwide, advising them on all aspects of their data architectures, migrations, and strategic data visions to help organizations adopt cloud-based solutions, maximize the value of their data assets, modernize legacy infrastructures, and implement cutting-edge capabilities like machine learning and advanced analytics. Prior to joining AWS, Asser held various data and analytics leadership roles, completing an MBA from New York University and an MS in Computer Science from Columbia University in New York. He is passionate about empowering organizations to become truly data-driven and unlock the transformative potential of their data.
Post Syndicated from Stephanie Doyle original https://www.backblaze.com/blog/is-ai-right-for-your-business-4-questions-to-ask/
AI is everywhere—powering chatbots, generating images, even deciding what you binge watch next. It’s no wonder businesses of all sizes are feeling compelled to jump on the AI bandwagon. But before you get swept up in the AI hype, here’s the question you need to ask: Is AI right for your business and the problem you’re trying to solve?
Where AI truly becomes a change agent is when it is powered by your organization’s data to deliver relevant, insightful, and actionable observations to you in a timely manner. The reality is, while AI is really cool, without your unique data it provides your organization few competitive advantages. Of course, releasing proprietary, or even sensitive, information to a robot connected to the internet can be risky—and you want to make sure your (and your clients’) information doesn’t end up in surprising places.
But just because everyone’s talking about AI doesn’t mean it’s the magic bullet for every problem. Like any strategic investment, it takes careful consideration. So, before you hand over your data to a machine, let’s explore whether AI is really what your business needs—or if it’s just another shiny object in the tech landscape.
Today, many organizations are somewhere along the AI/ML path. Most are experimenting with AI, some are actively building applications, and a handful have successfully deployed a solution. Like any other project, before you start trying to use AI in your organization, the first thing you should do is define the problem you are trying to solve. Only then can you determine if you really need AI as a part of the solution.
Ask yourself the following questions about the project. If you answer yes to all four items, the project is AI-worthy:
Start by identifying the business problem in specific, measurable terms. Determine the scope of the problem, its frequency, and the impact it has on your business. Is it recurring and time consuming? If the problem is complex, repetitive, or data-intensive, it might be suitable for AI.
If the problem involves large amounts of data that is difficult to process manually where the answer is derived by combining and weighing multiple factors, it may be a candidate for an AI-based solution. On the other hand, just because it can be automated doesn’t mean you need an AI solution—AI is expensive in terms of power and processing resources. If you’re running a simple routine task over and over, you might be just as well off using traditional programming methods. But, when you’re solving a complex task, you need a structure that is not a strict binary, and that’s when you might want to use AI.
AI should help your organization solve problems it finds extremely difficult or nearly impossible to solve otherwise. AI excels at tackling complex problems that overwhelm traditional methods, such as processing vast amounts of data, recognizing intricate patterns, or making real-time predictions. If your business is facing challenges that manual processes or standard software can’t handle effectively, AI can step in to provide powerful, scalable solutions that would otherwise be out of reach.
But remember, AI should work with you, not against you. Understand how AI will integrate into your workflow and whether it aligns with your overall business strategy to avoid creating unnecessary complications or disrupting ongoing operations.
Most AI projects are productivity based, even those that seem otherwise. Even AI projects aimed at improving customer experiences, like personalized recommendations, ultimately enhance productivity by streamlining interactions and reducing manual effort. At their core, most AI implementations are designed to automate tasks, optimize processes, or extract actionable insights, all of which drive greater efficiency and cost savings. And, that means you need to analyze the potential return on investment (ROI).
AI integration requires an investment in technology, data management, and often specialized personnel. Weigh the cost of implementing AI against the potential benefits it could bring. Will it save time or reduce costs? By how much? If the financial or productivity benefits outweigh the costs, AI may be a worthwhile investment.
Clearly defining the problem and deciding if it’s suitable for an AI-based solution is really just the first step. Once the problem is defined, you open up another set of questions around whether and how to implement it. Do you have the right data, resources, and expertise to support an AI solution? How will it integrate with your systems? How will you measure success? The answers to all of these questions should absolutely inform your decision-making, but understanding if you’re applying AI to the right problem is your starting point. Without that, you’re using a sledgehammer to crack a nut, so to speak.
The post Is AI Right for Your Business? 4 Questions to Ask appeared first on Backblaze Blog | Cloud Storage & Cloud Backup
Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=zgg9ZMZ-LsE
Post Syndicated from Anna Montalat original https://aws.amazon.com/blogs/security/strengthening-security-in-the-era-of-generative-ai-must-attend-sessions-at-reinvent-2024/
/
Generative AI is transforming industries in new and exciting ways every single day. At Amazon Web Services (AWS), security is our top priority, and we see security as a foundational enabler for organizations looking to innovate. As you prepare for AWS re:Invent 2024, make sure that these essential sessions are on your schedule to learn how security can help your organization innovate with generative AI solutions quickly and securely. Leading experts will provide deep insights into how you can secure generative AI workloads in order to protect data and navigate governance, risk, and compliance.
In this post, we’ve highlighted some of our must-attend sessions and favorite activities for security leaders and practitioners, technical decision-makers, and artificial intelligence and machine learning (AI/ML) builders. To join in on the fun, register here, and we’ll see you in Vegas!
The AWS re:Invent 2024 keynote and innovation talks offer the opportunity to gain direct, transformative insights from senior AWS leaders. Delve into the latest breakthroughs in generative AI, cloud security, and cutting-edge architectural innovations that are redefining the future of application development and the AWS Cloud.
Discover a range of learning opportunities designed to deepen your expertise in securing generative AI. This year’s sessions put a strong focus on providing customers with impactful real-world, practical prescriptions for securing your AI workloads and the data that powers them. Whether you prefer lecture-style breakout sessions, interactive chalk talks, hands-on workshops, or code-driven discussions, there’s a session tailored to help meet your needs. Explore the following options and reserve your spot to enhance your understanding and practical skills in this rapidly evolving field.
You can find more details and descriptions for session levels (100–400) and session types on the re:Invent website.
Breakout sessions are lecture-style, 1-hour sessions delivered by AWS experts, customers, and partners—perfect for deepening your knowledge on important topics, gaining actionable insights, and connecting with industry leaders.
Chalk talks are 1-hour long, highly interactive sessions with a small audience. This format is ideal for diving deep into specific topics, engaging directly with AWS experts, and getting your questions answered in real time.
Code talks are similar to our popular chalk talk format, but with a focus on live coding or code samples rather than whiteboarding. These sessions look into the actual code used to build a solution, allowing attendees to understand the “why” behind the approach and witness the development process, including any errors that may arise. Participants are encouraged to ask questions and follow along for a deeper, hands-on learning experience.
Interact with small groups, led by an AWS expert providing interactive learning about how to build on AWS. Each builders’ session begins with a short explanation or demonstration of what attendees are building, then it’s your turn to build! The expert will guide you end-to-end through this hands-on experience.
Note: You must bring your own laptop to participate in these sessions.
Workshops are 2-hour interactive sessions where you collaborate in teams or work individually to solve real-world challenges by using AWS services, making them perfect for hands-on learning. Each workshop begins with a brief lecture, followed by dedicated time to work through the problem.
Note: Don’t forget to bring your laptop to build alongside AWS experts.
Want to talk directly with an AWS security expert on generative AI security, or a variety of other security topics? Then don’t miss this opportunity to have one-on-one conversations with leading AWS security experts in the Security Activation area of the expo floor to help you take your organization’s security posture to new heights.
Delve into key security domains such as:
After an inspiring week of transformative insights and deep learning, join us for the world renowned re:Play party—the ultimate re:Invent sendoff! Immerse yourself in live entertainment from headlining musical artists, scrumptious cuisine, and flowing refreshments as we come together to unwind, connect, and toast to a future of limitless possibilities.
It’s going to be an amazing event, and we can’t wait to see you at re:Invent 2024! Register now to secure your spot.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=xDPBn99UvKk
Post Syndicated from corbet original https://lwn.net/Articles/993337/
At the recently concluded Maintainers Summit, it was generally agreed that the Rust experiment would
continue, and that the path was clear for more Rust code to enter the
kernel. But the high-level view taken at such gatherings cannot always
account for the difficult details that will inevitably arise as the Rust
work proceeds. A recent discussion on the nouveau mailing list may have
escaped the notice of many, but it highlights some of the problems that
will have to be worked out as important functionality written in Rust heads
toward the mainline.
Post Syndicated from Йоанна Елми original https://www.toest.bg/kakvo-shte-se-ili-niama-da-se-promeni-sled-izborite-v-usa/
Ето едно парадоксално изречение: инфлацията в САЩ е спаднала от 9,1% през юни 2022 г. на 2,5% през август 2024 г., но цените за потребителите остават рекордно високи и вероятно ще се задържат на това ниво. Оставяме на икономистите да спорят защо е така, на какво се дължи и за кого е добре. Важното е, че за повечето американци увеличението на цените на стоките от първа необходимост, както и на цените на жилищата остава основно притеснение месец преди изборите.
Вече говорихме за икономиката, както и кои са другите основни приоритети пред американския избирател на приближаващите избори, може би най-важните в съвременната история на САЩ. Визиите на двамата кандидати за бъдещето са коренно противоположни, поне на хартия.
Доналд Тръмп предлага завръщане в славното минало с орязване на данъците и социалните услуги, силно влияние на консервативно-християнското лоби в страната, продължаваща безусловна подкрепа за Израел в Близкия изток, антиимигрантска и ксенофобски ориентирана политика и изолационизъм на САЩ с основен фокус върху конкуренцията с Китай.
Камала Харис обещава засилване на социалните политики, облагане на най-богатите с данъци, дипломатически усилия за прекратяване на бойните действия в Палестина, защита на човешките права и утвърждаване на разделението между религия и държава. Макар и силно втвърдена, позицията на демократите спрямо имиграцията остава по-отворена и по-скоро базирана на факти (както и повечето им политики).
Въпреки силната поляризация и привидния сблъсък на непреодолими различия, реалността в САЩ все още остава споделена. Отвъд гръмките заглавия демократите заемат позиции, които бихме очаквали да бъдат подкрепяни от републиканците… и обратното.
Президентът Джо Байдън например остави в сила т.нар. Разпоредба 42, която разрешава на САЩ да експулсират мигранти по бърза процедура, включително и хора, които търсят убежище. От март 2020 г. до януари 2021 г., когато Тръмп напусна Белия дом, експулсираните по тази процедура са 400 000. По времето на Байдън броят на върнатите нараства до 2 млн. души за периода януари 2021 г. – 11 май 2023 г., когато изтече извънредното положение, въведено заради COVID-19.
Друг пример е бившата първа дама Мелания Тръмп: въпреки че републиканците използват подчертано хомофобска реторика, това не е попречило на г-жа Тръмп да приеме над четвърт милион долара хонорар, за да говори пред консервативна ЛГБТИ+ група.
Независимо дали на изборите ще победи Тръмп, или Харис, културните войни в САЩ – а и по света – ще продължат, докато продължават и несигурните времена, в които живеем. Копнежът по пасторално минало, което никога не е съществувало, както и по традиции, които никой не може да дефинира ясно, е характерен феномен за години на криза. Подходящи примери са феминизмът и дебатът за мястото на жената в обществото, особено след отмяната на правото на аборт от Върховния съд през 2022 г. Според демографските проучвания е по-вероятно за Републиканската партия да гласуват американските мъже, отколкото жените. Тези разлики са особено осезаеми при по-младите избиратели.
Еманципацията на жените и новите дефиниции на социалните роли (какво се очаква от мъжа или жената) водят до реакционерство, което се проявява по най-различни начини – например с призиви да се отнеме правото на жените да работят и да бъдат ограничени само в домашната сфера. Отправят ги определени американски християнски организации, близки до кандидат-вицепрезидента Джей Ди Ванс. Самият Джей Ди Ванс не подкрепя подобни радикални позиции открито, а по-скоро завоалирано – например защо една жена би искала да се върне на работа 6 седмици след като е родила.
Това, което Джей Ди Ванс представя едва ли не като желание на жените и прехвърля като вина върху тях – а именно, че трябва да се върнат на работа бързо след раждането, – демократите разглеждат като проблем на нерегулирания корпоративен капитализъм. САЩ е единствената държава в развития свят, която не предлага някаква форма на платено майчинство – дали жената ще има такова, или не, зависи от работодателя. Кандидат-президентката на демократите Камала Харис обеща неколкократно по време на кампанията си, че американците ще получат помощ „в грижата за близките си, независимо дали става въпрос за нов член на семейството, или грижа за болен близък“. Дискусии за подобно законодателство се водят от 80-те години насам.
82% от американците смятат, че трябва да има платено майчинство и платен болничен отпуск. Независимо от партийните пристрастия, подкрепящите платеното отсъствие от работа смятат, че разходите трябва да се поемат от работодателя. Кой обаче да задължи работодателя, ако голяма част от същите американци считат, че държавният контрол по-скоро вреди, отколкото помага на бизнеса?
Този парадокс е стар, колкото и държавата, но е особено актуален през последните 40 години, в които консервативната партия заема агресивна позиция спрямо федералното правителство, агитирайки едва ли не за неговото пълно обезоръжаване и премахване. „Антирегулаторната“ позиция обаче рухва в момента, в който започнем да задаваме конкретни въпроси: допустимо ли е например да няма регулация на качеството на храните и безопасността на околната среда? Повечето анкетирани променят позицията си, когато се говори конкретно.
Шест от десет американци казват, че държавната регулация на бизнеса е нужна, за да се защити общественият интерес. Значителна част обаче мислят, че държавната намеса по-скоро вреди, отколкото помага. Същевременно бедността и неравенствата се задълбочават. Все повече млади хора не могат да си позволят собствен дом и семейство – в САЩ няма безплатни детски градини до петгодишна възраст, а цените на платените грижи растат главоломно. В същото време минималната работна заплата е на едни и същи нива от години, докато заплатите на корпоративните изпълнителни директори са нараснали с 1085% от 1978 г. насам. За същия период обикновените работници са получили увеличение от 24%.
Сама по себе си консервативната пробизнес и антидържавна реторика не би могла да урони престижа на държавата до такава степен, още повече ако приемем, че изначалният идеологически дебат в САЩ е колко „държава“ всъщност трябва, за да живее едно общество добре (с две думи: федералистите казват – повече, а антифедералистите – по-малко). Такова уронване на доверието трябва да бъде подпомогнато и от самата държава. Корупцията е точно толкова американска, колкото и кънтри музиката или идеята за личната свобода на индивида като необходимост за пълноценно съществуване.
В историята на държавата се редуват периоди на силно институционално недоверие с такива на доверие, като в годините след Втората световна война доверието нараства около кризи като 11 септември и в момента е с рекордно ниски стойности (с лек възход в периода около началото на пандемията, но и с точно толкова бърз спад).
Много американци смятат – и то не от вчера, – че политическите донори и лобистите имат твърде голямо влияние върху политиката, а обикновените граждани – твърде малко. Това мнение преобладава както сред демократите, така и сред републиканците, като по въпроса се наблюдава рядък и изключително широк консенсус. Голям брой американци подкрепят и ограничения в размерите на даренията за политици и техните кампании: въпрос, по който нито един от кандидатите за президент няма силна кампанийна позиция. Причините вероятно са обясними.
Недоверието не е ограничено само до изпълнителната или до законодателната власт. Доверието във Върховния съд на САЩ достига исторически ниски стойности: половината от запитаните американци имат по-скоро негативно отношение. Тук картината е по-различна по партийна линия – тъй като настоящият съд е консервативен, републиканците имат по-високо доверие към съда, отколкото демократите – въпреки безпрецедентните корупционни скандали. Такъв се вихри около върховния съдия Кларънс Томас, който се оказва лесна мишена за търговия с влияние посредством луксозни подаръци, почивки и дори плащане на такса за университета на роднина на Томас от бизнесмен, чиито дела се гледат от съда.
Независимо кой от настоящите проблеми на САЩ изберем – регулацията на оръжията, климатичните промени, правото на аборт и свобода на избор за жените или дори демографската криза, – следният порочен кръг може да бъде приложен. Първо, проблемът е част от културните войни – буквалисткото тълкуване на Втората поправка за наличието на добре въоръжена милиция, отричането на човешкото влияние върху климатичните промени, религиозните аргументи срещу абортите и обвиняването на феминизма, имиграцията и други фактори за ниската раждаемост.
Второ, всеки проблем има свое лоби. Според лобистката база данни на Open Secrets само през 2024 г. оръжейното лоби е похарчило 6,4 млн. долара за своите цели. Всяка година в периода от 1998-ма до 2022-ра средствата за лобизъм срещу регулацията на оръжията надхвърлят многократно сумите, похарчени от поддържащите ограничаването на достъпа до оръжия. Производителите на горива, които допринасят за парниковия ефект, са похарчили 71,9 млн. долара за лобизъм през 2024 г. Примерите са твърде много, за да бъдат изброени.
Трето, институциите не могат да работят ефективно, когато пропагандата, търгуването с влияние и подкупите са инструменти за упражняване на власт. И двамата кандидати дават заявки за справяне с различни аспекти на определени проблеми – въпросът е доколко е възможно в рамките на системата, която произвежда тези проблеми. Необходими са реформи, които биха ограничили и самите политици – за подобни промени съществуват прецеденти в историята, но обикновено се правят след големи кризи. Такъв е примерът за регулаторното и социалното законодателство от 20-те и 30-те години на миналия век, както и периодът от края на Втората световна война до 80-те (иронично, точно нататък са се запътили поддръжниците на Тръмп, които обаче отхвърлят голяма част от същите политики, довели до следвоенния просперитет на страната).
В своя книга, посветена на бедността в САЩ, пастор д-р Уилям Джей Барбер Трети пише за социалните движения в историята на страната, които обединяват всякакви хора – консерватори, демократи, бели и черни – в името на обща кауза. Днес обществото в САЩ е особено разделено по всякакви линии на идентичността, включително пол, сексуална принадлежност и религия. Но основните проблеми, както и техните решения често получават подкрепа от мнозинството – това потвърждават и данните.
От двамата кандидат-президенти Камала Харис, изглежда, разбира това, защото предлага на избирателите си не минало, а бъдеще. Доколко е възможно да го превърне в реалност, е много по-трудният въпрос, на който няма как да отговорим. Що се отнася до Доналд Тръмп, претенциите, че той ще се справи с ръждивите чаркове на т.нар. естаблишмънт, или традиционен политически елит, остават силно преувеличени, ако съдим по първия му мандат. Без „държава“, институции и поне малко бюрокрация една територия се превръща във феодален къс земя, подчинен на капризите на този или онзи избраник (ако избраникът въобще се занимава с избори). Парадоксът на антидържавността е очевиден при консервативни активисти като бизнесмена Илън Мъск, който разчита на държавни субсидии за всичките си бизнес начинания – 4,9 млрд. долара към 2015 г. и 2,8 млрд. долара само през 2022-ра.
Какво ще се промени и какво няма да се промени след изборите в САЩ, ще разберем едва когато Белият дом приеме новия си обитател. А дотогава ни остава зрелището на демокрацията: не гаранция за утопия, а сложна система, която се самокоригира бавно, но – поне засега – без насилие и кръв. В един все по-нестабилен кървав свят на все по-арогантни диктатори това е немалко постижение.
Post Syndicated from Guy Nir original https://blog.cloudflare.com/whats-new-in-cloudflare-one-digital-experience-dex-monitoring-notifications
At Cloudflare, we are constantly innovating and launching new features and capabilities across our product portfolio. We are introducing roundup blog posts to ensure that you never miss the latest updates across our platform. In this post, we are excited to share two new ways that our customers can continue to keep their web properties performant and secure with Cloudflare One: new Digital Experience Monitoring (DEX) notifications help proactively identify issues that can affect the end-user digital experience, and integration with China Express enables secure access to China-hosted sites for Cloudflare Gateway customers.
As with other notification types, DEX notifications can be configured and reviewed from Cloudflare dashboard notifications.
DEX notifications address the challenge of proactively identifying issues affecting the digital experience of your end users. By monitoring device health and conducting synthetic tests from WARP clients deployed on your fleet’s end-user devices, DEX provides valuable insights. These notifications empower IT administrators to quickly identify and address connectivity and application performance problems before they impact a wide range of users.
By proactively notifying administrators when problems arise, DEX helps minimize user disruption and provides peace of mind. Instead of actively refreshing and looking for issues as before, administrators can now receive immediate notifications. Management is simple, as notifications can be easily configured through the Cloudflare dashboard.
Administrators can now create three new notification types:
1) Device Connectivity Anomaly
Are you tired of manually monitoring your end-users’ device connectivity? Do you want to be notified immediately when there’s a sudden change? Our new DEX notification for Device Connectivity Anomaly alerts you when there’s a significant increase or decrease in the number of monitored devices connecting or disconnecting to the WARP Client. This can be filtered by various characteristics such as data center (“colo”), platform (operating system), and WARP Client version.
We use a statistical method called z-score to detect anomalies in monitored device count. A z-score measures how many standard deviations a data point is from the mean. By comparing the current five minutes of data to the past four hours, we can calculate the mean and standard deviation. If the z-score value exceeds 3.5 or falls below -3.5, a notification is triggered.
Here’s an example of a notification configuration for macOS devices in the UK using WARP Client version 2023.7.24:
2) DEX Test Latency
Ever worry application performance is slow? We’re thrilled to introduce DEX Test Latency notifications, which are designed for administrators who want to stay ahead of the curve when it comes to application performance. This notification proactively alerts you of significant spikes or drops in latency based on:
HTTP Test: Resource Fetch Time measures the time it takes for a web browser to retrieve a specific resource from your application and deliver it to the end user.
Traceroute Test: Round Trip Time measures the average time it takes for data packets to travel from your device to a specific destination IP address and back (when successful). Traceroute tests focus on the overall network performance between the test client/device and your application.
This notification can be filtered by various characteristics such as data center (“colo”), platform (operating system), WARP Client version, and test name.
In this example, you have a DEX test monitoring the latency of the website www.cloudflarestatus.com. This test, named “Cloudflare Status,” uses an HTTP GET request and runs on Windows devices connecting through the Lisbon colo (data center).
3) DEX Test Low Availability
Is application downtime causing headaches for you and your users?
DEX Test Low Availability notifications help maintain optimal application health by notifying you when availability falls below a given threshold. This notification monitors the success rate of HTTP or Traceroute requests sent to an application through pre-configured DEX tests. These synthetic tests simulate user traffic and measure the percentage of successful interactions with your application.
You define the Service Level Objective (SLO) — a specific availability threshold — for each notification. When the percentage of successful requests falls below this threshold, you’ll receive immediate notification, allowing you to proactively address issues before they impact a wide range of end users.
This can be filtered by various characteristics such as colo (data center), platform (operating system), WARP Client version, and test name.
In this example, a DEX test is targeting www.google.com. This Traceroute test runs on Chrome OS devices connecting through the Tel Aviv colo. The example notification is configured to alert you whenever the availability (percentage of successful requests) drops below 98%, allowing you to investigate potential issues and take corrective action quickly.
DEX notifications are now available for Cloudflare One customers. They can be configured by going to Cloudflare Dashboard > Account home > Notifications > Add, and then selecting any of the three DEX notification types. For more information, refer to Create a notification. DEX notifications are one of the many ways the Cloudflare One suite of solutions work seamlessly together as a unified platform to find and fix security issues across SaaS applications. Get started now with Cloudflare’s Zero Trust platform by signing up here.
In January 2023, we proudly launched China Express with multiple partners in China to extend Cloudflare One into China and provide connectivity to ensure that customers within the country could enjoy the same level of access to global services as the rest of the world. Our goal was simple: to deliver a consistent experience for customers and employees everywhere.
Over the past year, we’ve observed a notable increase in demand from enterprise customers seeking secure access to China-hosted sites. These customers, who often require consistent zero trust security policies applied through Cloudflare Gateway, including device posture checks, have faced challenges like scenic routing, where Internet traffic passes through multiple countries or networks, leading to significant packet loss when connecting to these websites.
For example, a global company with offices in both Hong Kong and San Jose has implemented WARP on their devices to manage Internet access. As part of their daily operations, employees need to access websites hosted in mainland China. However, they have experienced unstable connections, particularly when accessing the AWS web console in China. Further investigation revealed long and sometimes unpredictable network routes, contributing to the instability.
Global Internet traffic to and from China flows through a limited number of international links, tightly regulated by government authorities, often leading to significant instability and fluctuations. To address these challenges, our China Express partners offer the ‘Reverse Tunnel’ solution, a reliable service that ensures stable access to Chinese websites, effectively mitigating connectivity issues.
Today, we are thrilled to announce a significant enhancement to China Express: a new offering tailored to the needs of global Cloudflare Gateway customers accessing China-hosted sites. This enhancement introduces a dedicated tunnel configuration, ensuring safe and predictable connectivity while maintaining stringent zero trust security policies.
By partnering with JD Cloud, one of our trusted local providers in China, we’ve developed a solution that seamlessly integrates with Cloudflare’s Zero Trust Firewall DNS Policies by:
Directly routing through our Cloudflare Hong Kong data center: When global Cloudflare Gateway customers attempt to access China-hosted sites, their traffic is routed directly to our Hong Kong data center. This strategic routing point allows us to apply Zero Trust policies before the traffic continues its journey into China.
Using JD Cloud’s connectivity tunnel: From our Cloudflare Hong Kong data center, the traffic is then securely transmitted through JD Cloud’s private tunnel infrastructure, ensuring reliable and efficient connectivity into China. This partnership with JD Cloud leverages their local expertise and infrastructure capabilities, further enhancing the reliability and performance of the connection.
Note: This premium service is exclusive to China Network customers and requires a dedicated reverse tunnel contract with JD Cloud.
This solution offers several key benefits for our customers:
Improved stability: By directing all traffic to a dedicated tunnel, customers experience more reliable connections to websites within China.
Enhanced security: Zero Trust policies are consistently applied to all traffic, regardless of its destination, ensuring the highest level of security for customers accessing China-hosted sites.
Seamless customer experience: With a dedicated tunnel configuration, customers can access websites in China with confidence, knowing that their connections are both safe and predictable. Whether it’s multinational corporations expanding into the Chinese market, e-commerce platforms serving Chinese customers, or remote workers accessing corporate resources from within China, Cloudflare’s China Express with JD Cloud partnership provides a solution tailored to their specific needs.
By having companies implement a DNS host override policy in Cloudflare Gateway for origins in China, which routes traffic through the China Express Reverse Tunnel instead of using public Internet routes, companies can ensure more stable and reliable connections for their employees.
Looking ahead, we remain committed to continuously improving and expanding our offerings within China Express. Future developments may include further enhancements to performance, additional partnerships with local providers, and ongoing innovation to meet the evolving needs of our customers in the region.
We’ll continue to share roundup blog posts as we continue to build and innovate. Be sure to follow along on the Cloudflare Blog for the latest news and updates.
Post Syndicated from CJ Desai original https://blog.cloudflare.com/cj-desai-why-i-joined-cloudflare
I am thrilled to embark on this journey to run Product and Engineering at Cloudflare, driving forward the mission of helping build a better Internet.
While I was a graduate student at University of Illinois, the university introduced the Mosaic web browser to students. In addition to being super easy to install and use, it displayed pictures next to text for the first time. This may not seem impressive today, but back then it felt like a magical step forward.
This simple but powerful upgrade opened up the once niche user base from academics to the masses, transforming the world wide web to become an Internet phenomenon. Since then, I’ve always sought to be part of teams that worked on transformational technologies, including Software-as-a-Service, cloud computing, and AI. Innovation is the life blood of every technology company. To this day, I’m inspired by building products and technology that get adopted at mass scale.
The world is in a very interesting moment for technological innovation: the AI landscape is uncharted and developing at an exponential rate; the urgency for enterprises to reduce tech debt and reliance on legacy applications is at an all time high; multi-cloud deployments are becoming a reality for optimal performance and global scale; and high performance connectivity is table stakes. Cloudflare finds itself in a compelling position at the intersection of these key themes. We are uniquely poised to drive disruption and empower customers to do the same as they transform their businesses, and I’m excited to use my experience to help move our mission forward.
In order to reach massive scale, platforms need to be extensible (i.e., they need to be able to grow easily). The best way to do this is by knowing your customers’ biggest pain points and improving the core experience while creating adjacent products that solve their most challenging problems. Combined with being obsessed with your customers getting value and having a deep understanding of how the technology landscape is evolving around you, it becomes a powerful growth strategy.
This was the approach that I took during my time at ServiceNow, and one of the reasons why we were able to build the product business from $1.5 billion to $10+ billion in annualized revenue.
Cloudflare’s Connectivity Cloud — an innovative cloud native platform of security, network connectivity, and developer solutions — provides a unique foundation for driving value, no matter the industry. I’m excited to help Cloudflare further grow and refine our product offerings, while ensuring they are purpose-built and scalable to meet the needs of our growing customer base. Together, we can create solutions that empower any organization to enhance its global online presence while maintaining security and performance at the forefront.
It was very clear as I met many amazing people at Cloudflare, including co-founders Matthew Prince and Michelle Zatlyn, that the team takes pride in solving deep technical Internet infrastructure problems while putting customers first. In addition to working with world-class product and engineering teams, I am looking forward to collaborating with the wider business, our partners, and our customers to realize the potential of Cloudflare’s people, platform, and organic growth. I’m looking forward to helping build a better Internet with Cloudflare!
Post Syndicated from Chris Betz original https://aws.amazon.com/blogs/security/how-aws-uses-active-defense-to-help-protect-customers-from-security-threats/
AWS is deeply committed to earning and maintaining the trust of customers who rely on us to run their workloads. Security has always been our top priority, which includes designing our own services with security in mind at the outset, and taking proactive measures to mitigate potential threats so that customers can focus on their businesses with confidence. We continuously innovate and invest in advancing our security capabilities.
To help prevent security incidents from disrupting our customers’ businesses, we need to stay ahead of potential threats, and protect customers quickly when we become aware of activities that could be potentially harmful to them. We’ve previously shared details about our sophisticated global honeypot system MadPot and our massive internal neural network graph model Mithra. These are two examples of internal threat intelligence tools that we use to take proactive, real-time action to help prevent a potential threat from becoming a real security issue for our customers.
I mentioned another internal threat intelligence tool called Sonaris in my recent re:Inforce keynote. Sonaris is an active defense tool that analyzes potentially harmful network traffic so that we can quickly and automatically restrict threat actors who are hunting for exploitable vulnerabilities. With MadPot, Mithra, and Sonaris in the hands of our world-class security teams, AWS is equipped with powerful, actionable threat intelligence on a scale that is only possible with AWS. This blog post covers why and how we use Sonaris behind the scenes to help protect customers, and how we know our threat intelligence is having measurable results.
As organizations have migrated to the cloud over the last decade, threat actors have evolved their tactics to exploit environments that aren’t properly secured. In 2017, our security teams observed an increasing number of unauthorized attempts to scan (systematic examination through digital means and tools) and probe AWS customer accounts—activities conducted by threat actors who were hunting for Amazon Simple Storage Service (Amazon S3) buckets that customers unintentionally configured with public access. To help address this security issue on behalf of our customers, AWS security teams developed active defense capabilities to help detect these kinds of suspicious scanning behaviors and then restrict the actions that malicious actors might take to further improperly access a customer’s S3 bucket.
This novel approach to a new cloud-era security challenge evolved to become the threat intelligence tool we now call Sonaris, which today identifies and automatically restricts unauthorized scanning and S3 bucket discovery within minutes at global scale. Sonaris applies security rules and algorithms to identify anomalies from over two hundred billion events each minute. Preventing opportunistic attempts from threat actors to discover and exploit misconfigurations or out-of-date software represents a significant leap forward in our security capabilities at AWS.
How do we know that the network mitigations performed by Sonaris are actually making a difference for our customers? We can compare threat activity between MadPot sensors, with and without Sonaris protections. To do this, we use MadPot to construct two separate large-scale fleets of honeypot testing groups to compare statistics for each security configuration. One group is protected by our perimeter security controls fed by Sonaris analytics, and a separate fleet receives no protection. This allows us to measure the protective coverage of hosts within the AWS network perimeter.
Findings from these split testing groups underscore the sheer volume of potential threats that Sonaris manages to thwart, and the ongoing work behind the scenes to enhance the security of AWS infrastructure. For example, across the hundreds of different types of malicious interactions that MadPot classified, Sonaris observed an 83% reduction in abuse attempts in September 2024. In the past 12 months, Sonaris denied more than 27 billion attempts to find unintentionally public S3 buckets, and prevented nearly 2.7 trillion attempts to discover vulnerable services on Amazon Elastic Compute Cloud (Amazon EC2). This protection drastically reduces risk for AWS customers.
Sonaris plays a critical role in helping to secure AWS and our customers by detecting and then restricting certain suspicious behavior aimed at AWS infrastructure and services. Its capabilities are built on the integration of both network telemetry sources across AWS, plus our threat intelligence data. What sets Sonaris apart is its integration of AWS network telemetry with Amazon threat intelligence to provide safe and effective threat mitigation to reduce indiscriminate scanning activity.
Sonaris applies heuristic, statistical, and machine learning algorithms to vast amounts of the summarized metadata and service health telemetry that we use to operate our services. One threat intelligence source that Sonaris uses is MadPot, which receives traffic on tens of thousands of IP addresses every day. MadPot emulates hundreds of different services and mimics customer accounts, and then classifies these interactions into known Common Vulnerabilities and Exposures (CVEs) and other vulnerabilities. Through MadPot, Sonaris can also integrate additional high-fidelity signals that help identify activities of threat actors with enhanced precision. First-party threat intelligence collected from MadPot increases Sonaris confidence and accuracy for automatically restricting known malicious vulnerability enumeration attacks so that customers are protected automatically.
When Sonaris identifies malicious attempts to scan an AWS IP address or customer account, it triggers automated protections in AWS Shield, Amazon Virtual Private Cloud (Amazon VPC), Amazon S3, and AWS WAF, automatically protecting customer resources from unauthorized activity in real time. Sonaris is judicious about what activities it restricts, only intervening when there is a sufficiently high assurance that the interactions are malicious. For example, to help ensure that legitimate customer interactions are not restricted, we developed dynamic guardrail models to identify what normal behavior looks like in AWS services so that only suspicious activities are detected and acted on. We update and refresh these guardrail models constantly with our latest observations to help avoid taking action on legitimate customer activities.
Throughout 2023 and 2024, a large active botnet known as Dota3 has been scanning the internet for vulnerable hosts and devices to install cryptominer malware (malicious software designed to secretly use a victim’s computer or device resources). Sonaris has been effectively protecting customers from this botnet, even as the botnet’s operators try new ways to evade defenses. In Q3 2024, we observed this botnet’s scanning behavior change as it began using different payloads, rates, and endpoints, as shown in the following figure. Thanks to the layered detection methods of Sonaris, this botnet was unable to avoid our automatic detection. Sonaris automatically protected customers from more than 16,000 malicious scanning endpoints each hour.
Figure 1: Dota3 botnet activity suddenly changes in September 2024
Although Sonaris reduces risk, it does not eliminate it entirely, and our work is far from over. As we continue to evolve and strengthen our security measures, AWS remains committed to making the internet a safer place so that customers can thrive in an increasingly complex digital landscape while maintaining a strong security posture. Through the creation of active security tools such as Sonaris, and our customers’ diligent application of security best practices, we can collectively create a more secure cloud environment for all.
Your feedback is crucial to us and we encourage you to leave comments, reach out to our customer support teams, or engage with us through your preferred channels. Together, we can shape the future of cloud security and stay ahead of emerging threats.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Post Syndicated from CJ Desai original https://blog.cloudflare.com/cj-desai-why-i-joined-cloudflare
I am thrilled to embark on this journey to run Product and Engineering at Cloudflare, driving forward the mission of helping build a better Internet.
While I was a graduate student at University of Illinois, the university introduced the Mosaic web browser to students. In addition to being super easy to install and use, it displayed pictures next to text for the first time. This may not seem impressive today, but back then it felt like a magical step forward.
This simple but powerful upgrade opened up the once niche user base from academics to the masses, transforming the world wide web to become an Internet phenomenon. Since then, I’ve always sought to be part of teams that worked on transformational technologies, including Software-as-a-Service, cloud computing, and AI. Innovation is the life blood of every technology company. To this day, I’m inspired by building products and technology that get adopted at mass scale.
The world is in a very interesting moment for technological innovation: the AI landscape is uncharted and developing at an exponential rate; the urgency for enterprises to reduce tech debt and reliance on legacy applications is at an all time high; multi-cloud deployments are becoming a reality for optimal performance and global scale; and high performance connectivity is table stakes. Cloudflare finds itself in a compelling position at the intersection of these key themes. We are uniquely poised to drive disruption and empower customers to do the same as they transform their businesses, and I’m excited to use my experience to help move our mission forward.
In order to reach massive scale, platforms need to be extensible (i.e., they need to be able to grow easily). The best way to do this is by knowing your customers’ biggest pain points and improving the core experience while creating adjacent products that solve their most challenging problems. Combined with being obsessed with your customers getting value and having a deep understanding of how the technology landscape is evolving around you, it becomes a powerful growth strategy.
This was the approach that I took during my time at ServiceNow, and one of the reasons why we were able to build the product business from $1.5 billion to $10+ billion in annualized revenue.
Cloudflare’s connectivity cloud — an innovative cloud native platform of security, network connectivity, and developer solutions — provides a unique foundation for driving value, no matter the industry. I’m excited to help Cloudflare further grow and refine our product offerings, while ensuring they are purpose-built and scalable to meet the needs of our growing customer base. Together, we can create solutions that empower any organization to enhance its global online presence while maintaining security and performance at the forefront.
It was very clear as I met many amazing people at Cloudflare, including co-founders Matthew Prince and Michelle Zatlyn, that the team takes pride in solving deep technical Internet infrastructure problems while putting customers first. In addition to working with world-class product and engineering teams, I am looking forward to collaborating with the wider business, our partners, and our customers to realize the potential of Cloudflare’s people, platform, and organic growth. I’m looking forward to helping build a better Internet with Cloudflare!
Post Syndicated from corbet original https://lwn.net/Articles/993608/
Mozilla has released Firefox versions 131.0.2, ESR 128.3.1, and ESR
115.16.1. These updates address a
severe, remotely exploitable code-execution vulnerability that is
evidently already being exploited. Updating to a fixed release seems like
a wise thing to do.
Post Syndicated from jake original https://lwn.net/Articles/993596/
Greg Kroah-Hartman has announced the release of the 6.11.3, 6.10.14, 6.6.55, and 6.6.56 stable kernels. The 6.6.56 release
fixes a problem with building perf in 6.6.55; “If you do not use the
“. Meanwhile,
perf tool in the 6.6.y tree, there is no need to upgrade.
6.10.14 is the last of the 6.10.y series, so users should now be moving to
6.11.y. Other than 6.6.56, they contain the usual long list of important
fixes throughout the kernel tree.
Post Syndicated from jake original https://lwn.net/Articles/993595/
Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/10/deebot-robot-vacuums-are-using-photos-and-audio-to-train-their-ai.html
An Australian news agency is reporting that robot vacuum cleaners from the Chinese company Deebot are surreptitiously taking photos and recording audio, and sending that data back to the vendor to train their AIs.
Ecovacs’s privacy policy—available elsewhere in the app—allows for blanket collection of user data for research purposes, including:
- The 2D or 3D map of the user’s house generated by the device
- Voice recordings from the device’s microphone
- Photos or videos recorded by the device’s camera
It also states that voice recordings, videos and photos that are deleted via the app may continue to be held and used by Ecovacs.
No word on whether the recorded audio is being used to train the vacuum in some way, or whether it is being used to train a LLM.
Slashdot thread.
Post Syndicated from LastWeekTonight original https://www.youtube.com/watch?v=E8ygQ2wEwJw
Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=MYMfre5ViJw
Post Syndicated from Bozho original https://blog.bozho.net/blog/4407
Нещо отдавна закъсняло, с което се заех в предния парламент и ще продължа: пълна дигитализация на болничните листове, за да не се налага работниците и служителите да разнасят хартии, а работодателите да ги съхраняват.
Данните за болничните вече се обменят електронно между институциите и НОИ ги получава автоматично. Но не така стоят нещата с работодателите, които все още трябва да ги получават и съхраняват на хартия от служителите.
Казусът опира до това как по сигурен начин работодателят да получи електронния болничен лист, за да бъде надлежно уведомен. И отговорът, който аз давам е: чрез системата за сигурно електронно връчване на Министерството на електронното управление, ако работодателят е регистриран там.
Размених кореспонденция с институциите и е нужна още работа по изчистване на процеса и граничните случаи (напр. служител с двама работодатели, от които единият няма профил в системата), но това може да бъде свършено за няколко месеца, заедно с надграждането на системите на НОИ.
За да дигитализираме докрай и този процес, който засяга милиони служители. Още повече, при наличието на телемедицина, която приехме наскоро, болничен лист ще може да се издава и от разстояние.
Материалът Пълна дигитализация на болничните листове е публикуван за пръв път на БЛОГодаря.